[Intel-gfx] [PATCH 2/2] dim: sign pull-request tags if the GPG key is configured

Jani Nikula jani.nikula at intel.com
Mon Oct 2 09:22:11 UTC 2017 

On Mon, 11 Sep 2017, Sean Paul <seanpaul at chromium.org> wrote:
> On Mon, Sep 11, 2017 at 9:16 AM, Jani Nikula <jani.nikula at intel.com> wrote:
>> Add new environment variable $DIM_GPG_KEYID for configuring the GPG key
>> ID of the key to use for signing tags for pull requests. The tags will
>> be signed if the key ID is set, otherwise annotated tags will be used
>> like before.
>>
>> The drm-intel-testing tags are left unsigned, at least for now.
>>
>> Cc: Daniel Vetter <daniel.vetter at ffwll.ch>
>> Cc: Joonas Lahtinen <joonas.lahtinen at linux.intel.com>
>> Cc: Rodrigo Vivi <rodrigo.vivi at intel.com>
>> Cc: Sean Paul <seanpaul at chromium.org>
>> Signed-off-by: Jani Nikula <jani.nikula at intel.com>
>>
>> ---
>>
>> BEWARE OF THE LEOPARD! I didn't actually test this. I will try it when I
>> need to tag something next.
>>
>
> Just comment out git push and test this?

Finally got around to trying this out, works fine:
https://cgit.freedesktop.org/drm-intel/tag/?id=drm-intel-next-2017-09-29

The only snag is that now prep_pull_mail_overview() picks up the
signature from the tag object to the overview too.

Ack on merging these two out of the way, and fixing that separately (a
tiny bit of sed)?


BR,
Jani.



>
> Sean
>
>> We should probably also add verification to dim apply-pull.
>> ---
>>  dim     |  9 ++++++---
>>  dim.rst | 11 +++++++++++
>>  2 files changed, 17 insertions(+), 3 deletions(-)
>>
>> diff --git a/dim b/dim
>> index 23dfccb5513d..4d7864d8f450 100755
>> --- a/dim
>> +++ b/dim
>> @@ -70,6 +70,9 @@ DIM_TEMPLATE_SIGNATURE=${DIM_TEMPLATE_SIGNATURE:-$HOME/.dim.template.signature}
>>  # dim pull-request tag summary template
>>  DIM_TEMPLATE_TAG_SUMMARY=${DIM_TEMPLATE_TAG_SUMMARY:-$HOME/.dim.template.tagsummary}
>>
>> +# GPG key id for signing tags. If unset, don't sign.
>> +DIM_GPG_KEYID=${DIM_GPG_KEYID:+-u $DIM_GPG_KEYID}
>> +
>>  #
>>  # Internal configuration.
>>  #
>> @@ -1549,7 +1552,7 @@ function dim_update_next_continue
>>                 tag_testing="drm-intel-testing-$today-$((++suffix))"
>>         done
>>
>> -       $DRY git tag -a $tag $DIM_DRM_INTEL_REMOTE/drm-intel-next
>> +       $DRY git tag -a $DIM_GPG_KEYID $tag $DIM_DRM_INTEL_REMOTE/drm-intel-next
>>         git push $DRY_RUN $DIM_DRM_INTEL_REMOTE $tag
>>
>>         echo "Updating drm-intel-testing to latest drm-tip"
>> @@ -1589,7 +1592,7 @@ function dim_tag_next
>>                         tag="drm-intel-next-$today-$((++suffix))"
>>                 done
>>
>> -               $DRY git tag -a $tag $DIM_DRM_INTEL_REMOTE/drm-intel-next
>> +               $DRY git tag -a $DIM_GPG_KEYID $tag $DIM_DRM_INTEL_REMOTE/drm-intel-next
>>                 git push $DRY_RUN $DIM_DRM_INTEL_REMOTE $tag
>>         else
>>                 echo "drm-intel-next not up-to-date, aborting"
>> @@ -1650,7 +1653,7 @@ function dim_pull_request
>>                 done
>>                 gitk "$branch@{upstream}" ^$upstream &
>>                 prep_pull_tag_summary | $DRY git tag -F- $tag "$branch@{upstream}"
>> -               $DRY git tag -a -f $tag
>> +               $DRY git tag -a $DIM_GPG_KEYID -f $tag
>>                 $DRY git push $remote $tag
>>                 prep_pull_mail $req_file $tag
>>
>> diff --git a/dim.rst b/dim.rst
>> index 7aacc4e776e2..65e652e8bc75 100644
>> --- a/dim.rst
>> +++ b/dim.rst
>> @@ -349,6 +349,8 @@ recipients already set.
>>  Since the tag for the *branch* is date based, the pull request can be
>>  regenerated with the same commands if something goes wrong.
>>
>> +The tag will be signed using the key specified by \$DIM_GPG_KEYID, if set.
>> +
>>  pull-request-fixes [*upstream*]
>>  -------------------------------
>>  **pull-request** shorthand for *drm-intel-fixes* as the branch and
>> @@ -391,6 +393,8 @@ opened.
>>  Also checks that the drm-intel-fixes|-next-queued are fully
>>  merged into drm-tip to avoid operator error.
>>
>> +The tag will be signed using the key specified by \$DIM_GPG_KEYID, if set.
>> +
>>  update-next-continue
>>  --------------------
>>
>> @@ -405,6 +409,8 @@ remote is up-to-date. Useful if drm-intel-next has been changed since the last
>>  run of the update-next command (e.g. to apply a hotfix before sending out the
>>  pull request).
>>
>> +The tag will be signed using the key specified by \$DIM_GPG_KEYID, if set.
>> +
>>  DIM HELP COMMANDS
>>  =================
>>
>> @@ -498,6 +504,11 @@ DIM_TEMPLATE_TAG_SUMMARY
>>  -------------------------
>>  Path to a file containing the template for dim pull-request tag summaries.
>>
>> +DIM_GPG_KEYID
>> +-------------
>> +GPG key ID to use for signing tags. If set, tags will be signed. If unset, the
>> +default, tags will not be signed.
>> +
>>  dim_alias_<alias>
>>  -----------------
>>  Make **<alias>** an alias for the subcommand defined as the value. For example,
>> --
>> 2.11.0
>>

-- 
Jani Nikula, Intel Open Source Technology Center

More information about the Intel-gfx mailing list